Chapter 10: Implementing Group Policy

Learning Objectives
- Understand Group Policy concepts
- Plan an effective Group Policy design
- Implement Group Policy

Overview of Group Policies
- Group policies are a set of configuration settings that an administrator applies to one or more objects in the Active Directory store
- A group policy consists of settings that govern how an object and its child objects behave
- Group policies provide users with a fully populated desktop environment
- Conflicts can exist between group policies and local needs

Understanding Group Policy Concepts: Windows NT 4.0 System Policies
- Applied only to domains
- Limited to Registry-based settings
- Not written to a secure location of the Registry
- Often last beyond their useful life spans
- Can be applied through NT domain security groups

Windows 2000 Group Policy
- Can be applied to sites, domains, or OUs
- Can be applied through domain security groups
- Written to a secure section of the Registry
- Removed and rewritten whenever a policy change takes place
- Provide a more granular level of administrative control over a user's environment

Group Policy benefits
- Can reduce the TCO for a Windows 2000 network
- Securing user environment
- Provides customized environments to meet the user's work requirements

Group Policy Objects (GPOs)
- Local GPOs are stored on each Windows 2000 computer
- Non-local GPOs are stored at the domain level within AD
  - GPC: Group Policy Container
  - GPT: Group Policy Template

Non-local GPOs
- Group Policy container includes:
  - version information
  - status information
  - list of extensions
  - policy settings
- Group Policy template
  - Folder under Sysvol\DomainName\Policies
  - Identified by its GUID

[Figure: Group Policy template information]

[Figure: Group Policy template subfolders]

Group Policy template subfolders
- GPT.INI
  - In root folder of each template
  - Enabled/Disabled
  - Version

Using the Group Policy Snap-In
- Computer Configuration
  - Applies to computers
  - When system initialized
  - Every user
  - Startup/Shutdown scripts
- User Configuration
  - Applies to users
  - When logon
  - Logon/logoff scripts

Group Policy
- More than 500 settings
- Software Settings
  - Software installation
- Windows Settings
  - Desktop settings
- Administrative Templates

Group Policies
- Computer settings take precedence over user settings
- Computer settings take effect:
  - After refresh interval
  - When OS restarted
- User setting:
  - After refresh interval
  - When new logon

Group Policies: Policy settings
- Not Configured, Enabled, Processed, Processed, Disabled, Not Processed
- Local Computer policy settings
  - Applied as soon as they are saved

Password Policy settings (under Windows settings)
- Password History
- Password age
- Min Length
- Complexity
- Encryption

Account Lockout Policy (under Windows settings)
- Duration
- Threshold
- Reset
- Zero: must manually reset

Managing Administrative Templates
- Registry-based GP settings
- Explanations
- Can be extended with custom .adm files

system.adm

    if version 3
    CLASS MACHINE
    CATEGORY !!AdministrativeServices
      POLICY !!NoSecurityMenu
        KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        EXPLAIN !!NoSecurityMenu_Help
        VALUENAME "NoNTSecurity"
      END POLICY
      POLICY !!NoDisconnectMenu
        KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        EXPLAIN !!NoDisconnectMenu_Help
        VALUENAME "NoDisconnect"
      END POLICY

[Figure: Group Policy categories and subcategories]

Startup, Shutdown, Logon and Logoff
- computer policies can be applied at system startup and shutdown
- user policies can be applied at logon and logoff
- combinations of these policies can be used to create complex policy configurations

AD structure and Group Policy
- GPOs linked to a site apply to all domains within the site
- GPOs applied to a domain apply to all users and computers within the domain
- GPOs applied at the OU level apply to all users and computers within the OU
- Local policies are applied first, followed by non-local policies
- Non-local policies are applied in the following order: site, domain, OU

Group Policy Inheritance
- No override
  - Prevent policies at lower level from taking precedence
- Block Policy Inheritance

Group Policy Processing
- Computer vs. User Policy processing
- Synchronous vs. Asynchronous processing
  - Computer wins
  - Asynchronous: Computer and User Policies applied at same time
  - In case of conflict
  - Install with Elevated Privileges: must be set both in Computer and User
- Periodic Policy processing
  - 90-minute refresh period
  - 30-minute offset
  - Force refresh with SECEDIT

Group Policy Planning: Change control procedures
- name of the GPO
- settings that the GPO applies
- whether the settings apply to computers or users
- specific sites, domains, and OUs to which the GPO applies
- creation and modification dates
- list of changes since GPO creation
- description of changes and reasons for them

Structuring domains and OUs for Group Policy
- Delegation of permissions will determine where you place OUs in the domain structure
- GPO location will depend on the structure of your network
  - centralized vs. decentralized control

Segmented vs. monolithic GPOs
- Monolithic design: few large GPOs implemented at the site or domain level
- Segmented design: smaller GPOs that contain fewer settings
- Best design is probably a mix of the two

Cross-domain GPO links
- it is possible, but not recommended, to create such links, as computer startup and logon are significantly
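
The processing order and inheritance rules listed above (local first, then site, domain, OU, with No Override and Block Policy Inheritance) can be checked with a small model. This is an added example, not part of the original slides: the GPO names and the hierarchy are constructed, only the two value names come from the system.adm excerpt, and it relies on the documented Windows behaviour that Block Policy Inheritance does not stop a No Override link.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str                      # GPO display name (constructed)
    settings: dict                # registry value name -> data
    no_override: bool = False     # "No Override" set on this link

@dataclass
class Container:
    name: str                     # site, domain or OU
    links: list = field(default_factory=list)
    block_inheritance: bool = False

def effective_settings(local, chain):
    """Resolve settings for one object; chain is ordered site, domain, OU(s)."""
    # The lowest container with Block Policy Inheritance cuts off ordinary
    # links from every container above it.
    start = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    result = {k: (v, "Local") for k, v in local.items()}    # local GPO first
    for i, c in enumerate(chain):                           # then site, domain, OU
        for link in c.links:
            if not link.no_override and i >= start:
                result.update({k: (v, link.gpo) for k, v in link.settings.items()})
    # No Override links are written last, walking upward, so the highest-level
    # enforced link has the final word and is never blocked.
    for c in reversed(chain):
        for link in c.links:
            if link.no_override:
                result.update({k: (v, link.gpo) for k, v in link.settings.items()})
    return result

def sample(block):
    """Constructed hierarchy; returns {value name: (data, winning GPO)}."""
    chain = [
        Container("site", [Link("Site Baseline", {"NoDisconnect": 1})]),
        Container("domain", [Link("Domain Lockdown", {"NoNTSecurity": 1},
                                  no_override=True)]),
        Container("OU=Dev", [Link("Dev Desktop", {"NoNTSecurity": 0})],
                  block_inheritance=block),
    ]
    return effective_settings({"NoDisconnect": 0}, chain)

if __name__ == "__main__":
    for block in (False, True):
        print("Block Policy Inheritance on OU=Dev:", block, sample(block))
```

With blocking on, the OU falls back to the local value for NoDisconnect, yet the domain's No Override link still decides NoNTSecurity; that is the combination worth auditing when an OU administrator can set Block Policy Inheritance.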


St. Ambrose CSCI 450 - Implementing Group Policy
